I had an itch to scratch: I wanted to create an OIDC token with some "custom" data. I looked at the templating option on the OIDC role, but it only allowed entity metadata to be used.
So, I fired up VS Code, figured out where I should hack the code (this is my first time writing any Go code) and added a parameter to the method call.
If you pass this parameter in, it overwrites the entity metadata, so you can now access whatever custom fields you want in the template.
So, if I now write an OIDC role like this:
vault write identity/oidc/role/foo_role key=foo template="{\"myfoo\":{{identity.entity.metadata.somefoobar}}}"
and then generate a token like so:
vault read identity/oidc/token/foo_role metadata=somefoobar=this_is_custom_data
I get a token that decodes to this:
{
"aud": "f8NhA8DxKVhJz31TdkHwuU2iSh",
"exp": 1630626558,
"iat": 1630540158,
"iss": "http://0.0.0.0:54321/v1/identity/oidc",
"myfoo": "this_is_custom_data",
"namespace": "root",
"sub": "9586e035-1bb7-b9de-a1c6-a7095d7de1d2"
}
Notice the "myfoo" key.
If this would be useful to someone, I could post a pull request.
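As an added illustration (not the poster's patch and not Vault's code), this stand-in shows the mechanics the post describes: a role template is filled from entity metadata, a caller-supplied `metadata=key=value` argument replaces that metadata wholesale, and the result flags to a relying party that the claim was asserted at issuance rather than read from the identity store. `placeholderRe`, `ParseMetadataArg` and `Render` are hypothetical names; the template and metadata values are taken from the post.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches {{identity.entity.metadata.<key>}}, the only template path the post uses.
// Stand-in for illustration; it does not reproduce Vault's own templating engine.
var placeholderRe = regexp.MustCompile(`\{\{identity\.entity\.metadata\.([A-Za-z0-9_.-]+)\}\}`)

// ParseMetadataArg splits the CLI form "key=value"; only the first "=" separates
// key from value, so values containing "=" survive intact.
func ParseMetadataArg(arg string) (string, string, error) {
	k, v, ok := strings.Cut(arg, "=")
	if !ok || k == "" {
		return "", "", fmt.Errorf("metadata arg %q is not key=value", arg)
	}
	return k, v, nil
}

// Render fills the role template. A non-nil requestMeta replaces the entity metadata
// wholesale, as the post describes for its added parameter; the returned bool tells a
// relying party the claims were caller-asserted, not read from the identity store.
func Render(tmpl string, entityMeta, requestMeta map[string]string) (string, bool, error) {
	effective := entityMeta
	if requestMeta != nil {
		effective = requestMeta
	}
	var missing []string // a template key absent from the effective map is an error, not ""
	out := placeholderRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		key := placeholderRe.FindStringSubmatch(m)[1]
		v, ok := effective[key]
		if !ok {
			missing = append(missing, key)
		}
		return fmt.Sprintf("%q", v) // emitted as a JSON string, as in the decoded token
	})
	if len(missing) > 0 {
		return "", false, fmt.Errorf("template references missing metadata: %s", strings.Join(missing, ", "))
	}
	return out, requestMeta != nil, nil
}

func main() {
	k, v, _ := ParseMetadataArg("somefoobar=this_is_custom_data") // value taken from the post
	out, asserted, err := Render(`{"myfoo":{{identity.entity.metadata.somefoobar}}}`, map[string]string{"team": "blue"}, map[string]string{k: v})
	fmt.Println(out, asserted, err) // {"myfoo":"this_is_custom_data"} true <nil>
}
```

A token consumer that trusts `myfoo` should know whether it was populated from stored entity metadata or from the issuance request, which is what the boolean models.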